Google Redirect, 8 steps completed

By christo76
Nov 17, 2009
Topic Status:
Not open for further replies.
  1. My roommate apparently got a virus or more, on her computer. It was one of those fake shields with pop-ups saying things were infected that asking you to pay for software. I managed to get rid of that (I think). But then she noticed that google links were being re-directed to random sites.

    I searched here, and found several similar cases, so I ran through the 8 steps. Log sheets are attached.

    I also ran combofix, which seemed to be the next step in all the posts. Though I now see the sticky saying not to run it unless told, my bad. It did seem to have some issues running. I ran it once, and it downloaded a new version then during autoscan, a Microsoft error window (PEV.exe needed to close... do you want to send report...), but Combofix was still running so I just ignored the window. CF then restarted the computer after saying it found an infection. On start-up it CF came up and said it couldn't find Combo-fix.sys, then said it was creating a log sheet, then the computer just restarted, and CF never came back up. I renamed combofix to combo-fix and re-ran. This time, no windows popped up, it found no infections, but after it said it was creating a log sheet, it just restarted again and combofix never came back up. I looked and found the log sheet but it didn't really have any details, basically same as the one attached. I ran it a third time, and it found an infection, restarted, said it was creating log sheet, then restarted again, with no log sheet displayed.

    The google redirect is still there. Any help would be greatly appreciated.
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,450   +135

    Delete or fix this entry in the hijackthis log:
    "O17 - HKLM\System\CCS\Services\Tcpip\..\{D34AE06B-90B9-4A29-884C-130EC9D093FA}: NameServer = 151.164.8.201,66.73.20.40"

    After you fix this, try running the ESET Online Scanner:
    Eset Scanner

    Post your results
  3. kritius

    kritius TechSpot Guru Posts: 2,087

    Thats not the complete ComboFix log, post it. Should be C:\ComboFix.txt

    Don't fix that HijackThis entry.
  4. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    I already 'fixed' the entry, and was running the enet scanner. Is there a way to replace that entry if needed?

    As for the combofix log, that is all there is in c:\combofix.txt Though technically it is C:\Combo-fix\combofix.txt if that makes any difference.

    I tried running combofix a few times and each time it restarts right after it says its preparing the log, and it never brings it up.
  5. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,450   +135

    So kritius,
    you are a combofix advocate. I saw those tcpip entries in 3 hijackthis logs of computers suffering with search redirect issues here. Some of the IP adresses go to sites, others go nowhere. How do you tell if these are legitimate or not? With browser redirects, this tcpip entry was a logical concern
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,450   +135

    Are you still being redirected? What were the ESET results?
  7. kritius

    kritius TechSpot Guru Posts: 2,087

    Whois the entry, they come up legit.

    Delete the copy of ComboFix that you have off your desktop and then,

    Download ComboFix from one of these locations:

    Link 1
    Link 2


    * IMPORTANT !!! Save ComboFix.exe to your Desktop


    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

    • Double click on ComboFix.exe & follow the prompts.

    • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


    [​IMG]


    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [​IMG]


    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
  8. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Eset is still running. I can't tell if its still re-directing because the internet connection seems to be down now. Don't know if Eset is just running off of my computer now or if it was able to maintain a connection, but IE and Firefox just bring up the "can't find the page" window.

    If that entry is an issue, I may have more problems. The same (or nearly identical) entry is listed twice on this computer, which has had no issues at all. See log attached
  9. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,450   +135

    Yes christo76,
    That line 17 entry is back with an addition... Let ESET finish and we will see if the redirects are still active
  10. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Tmagic, that last log was from a second computer. I posted it because it also has the O17 entry and was worried it too could have issues that haven't shown up yet.

    Right now the original computer seems to have lost all internet capabilites since deleting that line and starting Eset. If I go into Network Connections in the control panel, its an empty folder. Tried making a new connection for broadband, but the network wizard says it can't make a new one because it should just work.
  11. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    I restored the O17 line in Hijackthis, and the internet connection is working again. Deleted Combofix and downloaded new version and it is running now.

    Eset found nothing.
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Is your ISP AT&T Internet Services?

    Lets focus on the actual malware, the redirects will be caused by a modified file, HijackThis will not show this, ESET will not help it.

    We need to get a ComboFix log so we can see what file it is.
  13. kritius

    kritius TechSpot Guru Posts: 2,087

     
  14. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Yes, ATT DSL is my internet service. Combofix ran and once again the log is basically empty. It finished the 50 stages, the window said "preparing log... Do not run any programs..." than after about 3-5 seconds the computer just restarted. Combofix never came back up, and after a few minutes I looked at the combofix.txt and it was same as the one posted earlier.

    I realized I have been running the computer in selective start-up for the past few days, due to slow performance and the initial Fake AV. DOn't know if that has any effect on the combofix log. But I put it back to normal startup and am running combofix again, hoping to get a full log.
  15. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,450   +135

    At least, I got your attention :) I connect to the Internet through a cable broadband router. Is that why the tcpip entry doesn't show up in my hijackthis log?
  16. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Tried combofix again, this time in normal startup, but I get the exact same thing. It says its preparing the log, then the computer restarts, and combofix doesn't start back up and the log just shows the initial info of times, locations and AV software.

    Is there anything that causes this?
  17. kritius

    kritius TechSpot Guru Posts: 2,087

    Some AV's can cause this, completely uninstall Avast and try again.

    If that doesn't work, look in the qoobox folder for a file called ComboFix deletions or similar, post it here.

    Then,

    Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zipped Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
    • Disconnect from the Internet and close all running programs.
    • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
    • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
    • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

      [​IMG]
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
    • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
    • Now click the Scan button. If you see a rootkit warning window, click OK.
    • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
    • Click the Copy button and paste the results into your next reply.
    • Exit GMER and re-enable all active protection when done.
    -- If you encounter any problems, try running GMER in Safe Mode.
  18. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Combofix still didn't create full log. Should I uninstall superantispyware? I have it turned off while running combofix, but it does come up when the computer restarts.

    Inside the qoobox folder there is 2 files, ndis.sys & loga. And 5 folders, BackEnv, LastRun, Quarantine, Test, TestC. None seem to have any files related to combofix or deletions.

    I ran GMER. Here is the results.

    GMER 1.0.15.15227 - http://www.gmer.net
    Rootkit scan 2009-11-18 19:01:20
    Windows 5.1.2600 Service Pack 3
    Running: oxs2vvqd.exe; Driver: C:\DOCUME~1\JULIEP~1\LOCALS~1\Temp\uxtdypod.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xED3EC0B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!_abnormal_termination + 451 804E2AAD 3 Bytes [C0, 3E, ED] {SAR BYTE [ESI], 0xed}

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\00000340 -> \Driver\atapi \Device\Harddisk0\DR0 82F52170

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

    ---- EOF - GMER 1.0.15 ----
  19. kritius

    kritius TechSpot Guru Posts: 2,087

    Ok, download this file. HERE , save it to your C:\ Drive

    then go to start and then run and type cmd

    cd\
    c:\mbr.exe -t
    c:\mbr.log

    A log file (c:\mbr.log) will open. Post the contents of it to your reply
  20. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Here is the mbr.log


    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F52170]<<
    kernel: MBR read successfully
    user & kernel MBR OK
  21. kritius

    kritius TechSpot Guru Posts: 2,087

    Ok,

    I think I know what the problem is.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      *atapi.sys
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  22. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 10:55 on 19/11/2009 by Julie Peil (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "*atapi.sys"
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [06:39 01/10/2008] [05:59 04/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
    C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [05:59 04/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
    C:\WINDOWS\system32\drivers\atapi.sys --a--- 96512 bytes [12:00 23/08/2001] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674

    -=End Of File=-
  23. kritius

    kritius TechSpot Guru Posts: 2,087

    Ok,

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\WINDOWS\system32\drivers\atapi.sys
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    Do these too

    C:\WINDOWS\ServicePackFiles\i386\atapi.sys
    C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
  24. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    It says it found nothing. It wouldn't let me rescan the second file (C:\WINDOWS\ServicePackFiles\i386\atapi.sys) Just gave the results of other peoples scans, all with nothing found.

    Here is the results of the other 2 I could scan.

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/19 11:01:02 (CST)
    Scanner results: Scanners did not find malware!
    File Name : atapi.sys
    File Size : 96512 byte
    File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5 : 9f3a2f5aa6875c72bf062c712cfa2674
    SHA1 : a719156e8ad67456556a02c34e762944234e7a44
    Online report : http://virscan.org/report/34deb68e61363bfaf0b7f37d18e0ca6b.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091119220623 2009-11-19 4.08 -
    AhnLab V3 2009.11.19.01 2009.11.19 2009-11-19 0.93 -
    AntiVir 8.2.1.72 7.10.0.234 2009-11-19 0.09 -
    Antiy 2.0.18 20091118.3273892 2009-11-18 0.02 -
    Arcavir 2009 200911190236 2009-11-19 0.17 -
    Authentium 5.1.1 200911191114 2009-11-19 1.41 -
    AVAST! 4.7.4 091119-1 2009-11-19 0.02 -
    AVG 8.5.288 270.14.73/2513 2009-11-19 0.34 -
    BitDefender 7.81008.4553889 7.29017 2009-11-19 3.84 -
    CA (VET) 35.1.0 7129 2009-11-18 6.92 -
    ClamAV 0.95.2 10046 2009-11-19 0.02 -
    Comodo 3.12 2979 2009-11-18 0.82 -
    CP Secure 1.3.0.5 2009.11.19 2009-11-19 0.07 -
    Dr.Web 4.44.0.9170 2009.11.19 2009-11-19 7.06 -
    F-Prot 4.4.4.56 20091119 2009-11-19 1.42 -
    F-Secure 7.02.73807 2009.11.19.17 2009-11-19 0.15 -
    Fortinet 2.81-3.120 11.68 2009-11-19 0.24 -
    GData 19.8894/19.570 20091119 2009-11-19 5.54 -
    ViRobot 20091119 2009.11.19 2009-11-19 0.41 -
    Ikarus T3.1.01.74 2009.11.19.74556 2009-11-19 4.26 -
    JiangMin 11.0.800 2009.11.19 2009-11-19 4.32 -
    Kaspersky 5.5.10 2009.11.19 2009-11-19 0.11 -
    KingSoft 2009.2.5.15 2009.11.19.19 2009-11-19 0.53 -
    McAfee 5.3.00 5806 2009-11-18 3.42 -
    Microsoft 1.5302 2009.11.19 2009-11-19 6.25 -
    Norman 6.01.09 6.01.00 2009-11-19 4.01 -
    Panda 9.05.01 2009.11.18 2009-11-18 1.78 -
    Trend Micro 9.000-1003 6.636.02 2009-11-19 0.00 -
    Quick Heal 10.00 2009.11.19 2009-11-19 1.25 -
    Rising 20.0 22.22.03.09 2009-11-19 0.94 -
    Sophos 3.01.0 4.47 2009-11-19 2.84 -
    Sunbelt 5518 5518 2009-11-18 1.76 -
    Symantec 1.3.0.24 20091118.003 2009-11-18 0.18 -
    nProtect 20091119.02 6250287 2009-11-19 3.52 -
    The Hacker 6.5.0.2 v00074 2009-11-19 0.75 -
    VBA32 3.12.12.0 20091118.1659 2009-11-18 2.13 -
    VirusBuster 4.5.11.10 10.113.23/1992986 2009-11-19 2.40 -


    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/19 11:05:25 (CST)
    Scanner results: Scanners did not find malware!
    File Name : atapi.sys
    File Size : 95360 byte
    File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
    MD5 : cdfe4411a69c224bd1d11b2da92dac51
    SHA1 : a42fbfeb5a4d94118b483d7f18113aa8c329a052
    Online report : http://virscan.org/report/bc653db8c6a42bf4183c8af8b4903335.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091119220623 2009-11-19 13.80 -
    AhnLab V3 2009.11.19.01 2009.11.19 2009-11-19 1.06 -
    AntiVir 8.2.1.72 7.10.0.234 2009-11-19 0.39 -
    Antiy 2.0.18 20091118.3273892 2009-11-18 0.02 -
    Arcavir 2009 200911190236 2009-11-19 0.17 -
    Authentium 5.1.1 200911191114 2009-11-19 1.58 -
    AVAST! 4.7.4 091119-1 2009-11-19 0.01 -
    AVG 8.5.288 270.14.73/2513 2009-11-19 0.35 -
    BitDefender 7.81008.4553889 7.29017 2009-11-19 3.92 -
    CA (VET) 35.1.0 7129 2009-11-18 15.04 -
    ClamAV 0.95.2 10046 2009-11-19 0.02 -
    Comodo 3.12 2979 2009-11-18 0.95 -
    CP Secure 1.3.0.5 2009.11.19 2009-11-19 0.07 -
    Dr.Web 4.44.0.9170 2009.11.19 2009-11-19 7.09 -
    F-Prot 4.4.4.56 20091119 2009-11-19 1.54 -
    F-Secure 7.02.73807 2009.11.19.17 2009-11-19 0.14 -
    Fortinet 2.81-3.120 11.68 2009-11-19 0.22 -
    GData 19.8894/19.570 20091119 2009-11-19 6.78 -
    ViRobot 20091119 2009.11.19 2009-11-19 0.54 -
    Ikarus T3.1.01.74 2009.11.19.74556 2009-11-19 4.43 -
    JiangMin 11.0.800 2009.11.19 2009-11-19 19.00 -
    Kaspersky 5.5.10 2009.11.19 2009-11-19 0.11 -
    KingSoft 2009.2.5.15 2009.11.19.19 2009-11-19 0.64 -
    McAfee 5.3.00 5806 2009-11-18 3.38 -
    Microsoft 1.5302 2009.11.19 2009-11-19 6.65 -
    Norman 6.01.09 6.01.00 2009-11-19 4.01 -
    Panda 9.05.01 2009.11.18 2009-11-18 7.40 -
    Trend Micro 9.000-1003 6.637.00 2009-11-19 0.00 -
    Quick Heal 10.00 2009.11.19 2009-11-19 1.28 -
    Rising 20.0 22.22.03.09 2009-11-19 0.96 -
    Sophos 3.01.0 4.47 2009-11-19 2.83 -
    Sunbelt 5518 5518 2009-11-18 2.49 -
    Symantec 1.3.0.24 20091118.003 2009-11-18 0.24 -
    nProtect 20091119.02 6250287 2009-11-19 4.26 -
    The Hacker 6.5.0.2 v00074 2009-11-19 1.02 -
    VBA32 3.12.12.0 20091118.1659 2009-11-18 2.13 -
    VirusBuster 4.5.11.10 10.113.23/1992986 2009-11-19 2.49 -
  25. christo76

    christo76 Newcomer, in training Topic Starter Posts: 18

    Kritius,
    I decided to uninstall anything I thought might be causing any issues... Firefox, IE, superAS, spyseek&destroy... Then I reran combofix..... this time the log came up with something new... still not a full log, but this..

    ComboFix 09-11-18.06 - Julie Peil 11/19/2009 23:54:16.10.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.514 [GMT -6:00]
    Running from: C:\Documents and Settings\Julie Peil\Desktop\ComboFix.exe
    .
    ComboFix encountered a terminal error!! Please upload this file - C:\ComboFix_error.dat
    to: http://www.bleepingcomputer.com/submit-malware.php?channel=4


    It won't let me upload the .dat file here. And at bleepingcomputer it wants to know what topic it was requested in.

    I will add a .txt extension so you can download and rename it to .dat if that will help.


    Also.....obviously I managed to FTP a new copy of firefox after I ran combofix, so I could upload all this. The google redirect appears to be gone. I haven't reloaded IE yet, so I don't know if that would still be affected. I know at least one other person found that when the uninstalled, then reinstalled firefox that it went away. So I don't know if the redirect portion of the virus was purely maintained within legit sections of firefox and IE, and able to avoid normal detection, or if its still in the system.

    I don't plan on trusting this computer until you tell me you think its ok. I don't want to let any other computer I have linked through the router to be online at the same time if there is any chance this virus can pass through.

    I do really appreciate all the time and effort you are doing to help me resolve this.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.